Cryptography Series Nine: Key Management

1. Overview of key management

A modern cryptosystem must remain secure even when its algorithm is public and open to evaluation; what determines the security of the whole system is the secrecy of the key. In other words, the core problem to solve when designing a cryptosystem is key management, not the choice of cryptographic algorithm.

The key is the variable part of a cryptosystem. Key management is the set of technologies and procedures for establishing and maintaining key relationships between authorized parties. It covers the whole process from key generation to final destruction, including key generation, storage, distribution, negotiation, use, backup and recovery, update, revocation and destruction.

1.1 Main content of key management

(1) Key generation and verification

Keys are produced by a key generator, which normally relies on a high-quality generator of pseudo-random sequences so that the generated keys are unpredictable.

(2) Key exchange and negotiation

Key exchange takes two main forms: a centralized scheme and a distributed scheme. In the centralized scheme a "key management center" in the network distributes keys according to user requests; in the distributed scheme the hosts in the network negotiate a common key among themselves. A generated key is delivered either manually or secretly over a secure channel.

(3) Key protection and storage

All keys need strong and effective protection, and the devices that provide cryptographic services require absolute security. Key storage must guarantee the confidentiality, authenticity and integrity of keys and keep keys resident for as short a time as possible. Confidentiality is the core requirement throughout key storage, exchange, loading and transmission: key material should only ever flow in encrypted form.

(4) Key replacement and loading

Every key should be used within its life cycle and never beyond its expiration date: the longer a key is used, the greater the chance of repetition, the greater the possibility of leakage, and the greater the risk of it being broken. In addition, once a key has leaked it must be replaced and revoked. Keys can be installed through media such as keyboards, key injectors and magnetic cards, and through devices such as smart cards and system security modules (which have key exchange functions). Key loading is divided into host master key loading and terminal master key loading. Both can be loaded by a security officer or by dedicated equipment, and once loaded the key cannot be read back.

1.2 Principles of key management

(1) Clarify the policy and mechanism of key management: the policy is the high-level guidance for the key management system, and the mechanism is the concrete technology and method by which the policy is realized and enforced.

(2) Comprehensive security principle: proper security management of keys must be applied across the whole process of key generation, storage, distribution, loading, use, backup, replacement and destruction.

(3) Principle of least privilege: a user is allocated only the minimum set of keys needed for a given transaction.

(4) Principle of separation of responsibilities: a key should be dedicated to one function; one key should not be used for several functions.

(5) Key classification principle: a large system needs many types and quantities of keys, so keys are divided into several levels according to their responsibility and importance.

(6) Key replacement principle: keys must be replaced on time. Otherwise, even with a strong encryption algorithm, once an attacker has intercepted enough ciphertext the probability of the key being recovered becomes high.

(7) Keys should have sufficient length: sufficient key length is a necessary condition for cryptographic security.

(8) Different key systems need different key management: the traditional (symmetric) cryptosystem and the public key cryptosystem are ciphers with different properties, so their key management differs greatly.

1.3 Hierarchy of key management

According to life cycle, function and confidentiality level, keys are generally divided into three kinds: session keys, key encryption keys and master keys.

The system uses the master key to protect the key encryption key through a cryptographic algorithm, then uses the key encryption key to protect the session key, and finally uses the session key, with an encryption/decryption algorithm, to protect the plaintext data. Throughout the key hierarchy, the use of the keys at each level is controlled by the key agreement at the corresponding level.

(1) Session Key

The session key is mainly used to encrypt the data exchanged by two communicating end users, and is also called the data encrypting key. Its life cycle is very short: it is usually generated when the session is established and destroyed when the session ends, and it mainly protects the transmitted data. Most session keys are temporary and generated dynamically; they can be negotiated by the communicating parties or distributed by a key distribution center.

(2) Key Encrypting Key

The key encryption key is mainly used to encrypt session keys that are to be transmitted, and is also called a secondary key, secondary master key or auxiliary key. Its lifetime is relatively long. Because it is used to negotiate or transmit session keys, once it leaks, every session key protected under it during its period of use is leaked as well.

(3) Master Key

The master key is mainly used to protect key encryption keys or session keys, so that those keys can be distributed online. It sits at the highest level of the key hierarchy; it is a secret key selected by the user or assigned by the system, may be held exclusively by the user for a long time, and to some extent also serves to identify the user. It has the longest life cycle and is strictly protected.


2. Key life cycle

The life cycle of a key is the entire process from its generation to its final destruction. During this lifetime a key is in one of four states:

  • ① Pre-use state: the key cannot yet be used for normal cryptographic operations
  • ② In-use state: the key is available and in normal use
  • ③ Post-use state: the key is no longer in normal use, but accessing it offline for some purpose is still possible
  • ④ Expired state: the key is no longer used, and all key records have been deleted

The key life cycle diagram proposed by Menezes, van Oorschot and Vanstone comprises 12 stages: user registration, user initialization, key generation, key installation, key registration, key usage, key update, key backup, key recovery, key archiving, key revocation, and key de-registration and destruction.
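The four states above are a policy that a key store has to enforce in code: no cryptographic use before activation, new use only while in use, offline access only in the post-use state, nothing once the key has expired. The following Python is an added example (not code from the original post or from any product it describes) showing one way to gate key use on lifecycle state and on a cryptoperiod. The state names, the transition table, the `ManagedKey` class and the choice of an HMAC tag as the "cryptographic operation" are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from enum import Enum


class KeyState(Enum):
    """The four lifecycle states named in this section."""
    PRE_USE = "pre-use"      # installed but not yet activated: no cryptographic use
    IN_USE = "in-use"        # normal use
    POST_USE = "post-use"    # no new protection operations; offline access to old data only
    EXPIRED = "expired"      # key material deleted


# Permitted transitions; anything not listed is an error (constructed policy for the example).
_TRANSITIONS = {
    KeyState.PRE_USE: {KeyState.IN_USE, KeyState.EXPIRED},
    KeyState.IN_USE: {KeyState.POST_USE},
    KeyState.POST_USE: {KeyState.EXPIRED},
    KeyState.EXPIRED: set(),
}


class ManagedKey:
    """A key record whose use is gated by its lifecycle state and cryptoperiod."""

    def __init__(self, key_id, cryptoperiod_seconds, clock=time.time):
        self.key_id = key_id
        self.state = KeyState.PRE_USE
        self.cryptoperiod = cryptoperiod_seconds
        self.activated_at = None
        self._clock = clock                       # injectable so the demo can advance time
        self._material = secrets.token_bytes(32)  # generated here; would normally be installed

    def transition(self, new_state):
        if new_state not in _TRANSITIONS[self.state]:
            raise RuntimeError(f"{self.key_id}: illegal transition {self.state.value} -> {new_state.value}")
        if new_state is KeyState.IN_USE:
            self.activated_at = self._clock()
        if new_state is KeyState.EXPIRED:
            self._material = None                 # destroy: nothing left to recover
        self.state = new_state

    def _enforce_cryptoperiod(self):
        """Retire an in-use key automatically once its cryptoperiod has elapsed."""
        if self.state is KeyState.IN_USE and self._clock() - self.activated_at >= self.cryptoperiod:
            self.transition(KeyState.POST_USE)

    def protect(self, data):
        """A new use of the key (here: computing a MAC tag); allowed only while in use."""
        self._enforce_cryptoperiod()
        if self.state is not KeyState.IN_USE:
            raise PermissionError(f"{self.key_id}: no new use in state {self.state.value}")
        return hmac.new(self._material, data, hashlib.sha256).hexdigest()

    def verify(self, data, tag):
        """Checking an old tag is offline access: allowed in use and post-use, never after expiry."""
        self._enforce_cryptoperiod()
        if self.state not in (KeyState.IN_USE, KeyState.POST_USE):
            raise PermissionError(f"{self.key_id}: no access in state {self.state.value}")
        expected = hmac.new(self._material, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def lifecycle_demo():
    """Walk one key through all four states; returns which policy checks held."""
    clock = [1000.0]                              # constructed clock, in seconds
    key = ManagedKey("demo-key", cryptoperiod_seconds=3600, clock=lambda: clock[0])
    results = {}
    try:
        key.protect(b"too early")
        results["pre_use_blocked"] = False
    except PermissionError:
        results["pre_use_blocked"] = True
    key.transition(KeyState.IN_USE)
    tag = key.protect(b"record-1")
    results["in_use_ok"] = key.verify(b"record-1", tag)
    clock[0] += 3600                              # cryptoperiod elapses
    try:
        key.protect(b"record-2")
        results["post_use_blocked"] = False
    except PermissionError:
        results["post_use_blocked"] = True
    results["post_use_verify_ok"] = key.state is KeyState.POST_USE and key.verify(b"record-1", tag)
    key.transition(KeyState.EXPIRED)
    try:
        key.verify(b"record-1", tag)
        results["expired_blocked"] = False
    except PermissionError:
        results["expired_blocked"] = True
    return results
```

The design choice worth noting is that expiry of the cryptoperiod is enforced inside every operation rather than by a separate scheduler, so a caller that holds a reference to an old key cannot keep producing new tags with it; the expired state also drops the key material, so the post-use/expired distinction is enforced by absence of the key, not only by a flag.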


3. Key distribution

Through a key distribution mechanism, one of the communicating parties or the key distribution center selects a secret key and transmits it to the other party without anyone else (other than the key distribution center) seeing it. To keep an attacker from obtaining the key, keys must be updated frequently, and the strength of the cryptosystem depends on the key distribution technique.

Depending on whether a trusted third party is required, secret key distribution is divided into two approaches: centerless (decentralized) key distribution and centralized key distribution.

3.1 Centerless key distribution

In centerless key distribution no key distribution center takes part: the user transmits the key directly to the other party, and the parties must share the system parameters, a secret key, or each other's public key in advance.

(1) Key distribution with a pre-shared key

The communicating parties have distributed a shared key in advance over a secret channel (this shared key is also called the key encryption key), or each knows the other party's public key.

The key distribution process is as follows:

  • A sends B a request to establish a session key, together with a one-time random number $N_1$
  • B encrypts the response with the master key shared with A and sends it to A. The response contains: the session key chosen by B, B's identity, $f(N_1)$ and another one-time random number $N_2$
  • A encrypts $f(N_2)$ with the newly established session key and sends it to B

(2) Key distribution without a key

Shamir proposed a keyless distribution protocol whose only initialization parameter is a public large prime $p$. The key distribution process is as follows:

  • ① A randomly selects a secret number $a$ less than $p-1$, then chooses a random key $K$ ($1 \le K \le p-1$) as the session key for communicating with B, computes $K^a \bmod p$ and sends it to B
  • ② B receives $K^a \bmod p$, randomly selects a secret number $b$ less than $p-1$, computes $(K^a)^b \bmod p$ and sends it to A
  • ③ A raises the received value to the power $a^{-1}$ (the inverse of $a$ modulo $p-1$), obtaining $K^b \bmod p$, and sends it to B
  • ④ B raises the received value to the power $b^{-1}$ (the inverse of $b$ modulo $p-1$), obtaining the session key $K \bmod p$

Shamir's keyless distribution protocol provides no identity authentication: neither A nor B can prove its identity to the other. If an attacker C intercepts the message A sends to B, C can impersonate B in the exchange with A. When this protocol is used, other supporting protocols are therefore needed to provide identity authentication.
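Shamir's three-pass exchange above, worked in Python as an added example (not code from the original post). The public prime $p = 2^{127}-1$ is a constructed choice, and `secret_exponent` and `shamir_three_pass` are names introduced here. The example makes explicit the one condition the four steps depend on: the secret exponents must be invertible modulo $p-1$, because that is the modulus in which exponents act (Fermat's little theorem, $K^{p-1} \equiv 1 \pmod p$ for $1 \le K \le p-1$).

```python
import math
import secrets

# Public parameter (constructed for this example): the Mersenne prime p = 2^127 - 1.
P = 2**127 - 1


def secret_exponent(p):
    """A secret exponent in [2, p-2] that is invertible modulo p-1 (needed for steps ③ and ④)."""
    while True:
        x = secrets.randbelow(p - 3) + 2
        if math.gcd(x, p - 1) == 1:
            return x


def shamir_three_pass(p=P):
    """Run the four steps; returns the key A chose, the key B recovered, and what an observer sees."""
    # ① A chooses secret a and session key K (1 <= K <= p-1), sends K^a mod p
    a = secret_exponent(p)
    k = secrets.randbelow(p - 1) + 1
    m1 = pow(k, a, p)
    # ② B chooses secret b, returns (K^a)^b mod p
    b = secret_exponent(p)
    m2 = pow(m1, b, p)
    # ③ A removes its own exponent: (K^{ab})^{a^{-1}} = K^b mod p, because exponents
    #    act modulo p-1, and sends the result to B
    m3 = pow(m2, pow(a, -1, p - 1), p)
    # ④ B removes b the same way and holds K
    recovered = pow(m3, pow(b, -1, p - 1), p)
    return {"chosen": k, "recovered": recovered, "observed": (m1, m2, m3)}
```

Nothing in the three observed values $K^a$, $K^{ab}$, $K^b$ identifies who produced them, which is the authentication gap the paragraph above describes: B has no evidence that $m_1$ came from A rather than from whoever intercepted the channel, so an outer authentication protocol is still required.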

3.2 Centralized key distribution

If every user must support encrypted services, any pair of users wishing to communicate needs a shared key. With $n$ users, a total of $n(n-1)/2$ keys has to be stored. As the number of users grows, the number of keys that must be pre-allocated grows rapidly, and so does the number of keys each user has to manage.

In order to solve this problem, a key distribution center (KDC, Key Distribution Center) is introduced to manage the key distribution. Each user must have a shared key with the key distribution center, called the master key. The key assigned to a pair of users through the master key is called a session key, which is used for secure communication between the pair of users. Once the communication is complete, the session key is destroyed. Each user in the system only needs to save the pre-distributed key with the key distribution center.

Needham-Schroeder key distribution protocol

In 1978 Roger Needham and Michael Schroeder proposed the Needham-Schroeder key distribution protocol, in which secret keys are generated centrally. Its design has had far-reaching influence; the best-known derivative is the Kerberos key distribution protocol.

The protocol flow is as follows, where $C$ denotes the key distribution center and $A$ and $B$ are the communicating parties. $E_{K}(\cdot)$ denotes encryption under key $K$.

  • $A \to C: ID_A, ID_B, N_A$

    $A$ sends the plaintext message $ID_A, ID_B, N_A$ to the key distribution center $C$.

  • $C \to A: E_{K_{AC}}(ID_B, N_A, K_{AB}, E_{K_{BC}}(ID_A, K_{AB}))$

    The key distribution center $C$ sends $A$ the certificate $E_{K_{BC}}(ID_A, K_{AB})$, which $A$ will forward to $B$. Since only $A$ holds the key $K_{AC}$ shared with the key distribution center, only $A$ can decrypt this message, which removes the risk of someone impersonating $A$ when submitting a request to the key distribution center.

  • $A \to B: E_{K_{BC}}(ID_A, K_{AB})$

    $A$ forwards the certificate $E_{K_{BC}}(ID_A, K_{AB})$ to $B$. Since only $B$ holds $K_{BC}$, only $B$ can decrypt this certificate and obtain the session key $K_{AB}$.

  • $B \to A: E_{K_{AB}}(N_B)$

    $B$ issues a challenge to $A$.

  • $A \to B: E_{K_{AB}}(N_B - 1)$

    $A$ answers $B$'s challenge by returning the random number $N_B$ minus 1, showing that $A$ is online and able to communicate.

This protocol also has a loophole: $B$ cannot tell whether the $K_{AB}$ it receives from the key distribution center via $A$ is fresh. Therefore, once a $K_{AB}$ has leaked, anyone can impersonate $A$ by replaying step ③ of the protocol.
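One Python example, added here and not taken from the original post, serves two passages: the three-level hierarchy of section 1.3 (master key protecting a key encryption key, which protects a session key, which protects data) and the Needham-Schroeder exchange of this section. Because both need symmetric authenticated encryption and the standard library has no AES, `encrypt`/`decrypt` are a stand-in built from HMAC-SHA256 (an HMAC keystream plus an HMAC tag); the message framing (`_pack`/`_unpack`), the `KDC` and `Responder` classes and the identifiers `A`/`B` are all constructed for the example. The responder's replay cache is an assumed mitigation, not part of the original protocol, included so the loophole just described can be seen being caught when the same step ③ ticket is presented twice.

```python
import hashlib
import hmac
import secrets

# Stand-in authenticated cipher built only from HMAC-SHA256 (keystream in counter mode,
# encrypt-then-MAC) so the example runs on the standard library. A deployment would use
# AES-GCM or similar; the point here is the key handling, not the primitive.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key, nonce, data):
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(x ^ y for x, y in zip(data, stream))

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, body)

def _pack(*fields):   # length-prefixed field encoding for protocol messages (constructed format)
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def _unpack(data):
    fields, i = [], 0
    while i < len(data):
        n = int.from_bytes(data[i:i + 2], "big"); fields.append(data[i + 2:i + 2 + n]); i += 2 + n
    return fields

# Section 1.3: master key -> key encryption key -> session key -> data.
def hierarchy_demo():
    master = secrets.token_bytes(32)        # longest-lived, never leaves the key store
    kek = secrets.token_bytes(32)           # protected under the master key when at rest
    session = secrets.token_bytes(32)       # short-lived, protected under the KEK in transit
    wrapped_kek = encrypt(master, kek)
    wrapped_session = encrypt(kek, session)
    ciphertext = encrypt(session, b"payroll export 2023-11")
    # Recovery walks the chain top-down; a wrong KEK fails authentication rather than yielding garbage.
    plaintext = decrypt(decrypt(decrypt(master, wrapped_kek), wrapped_session), ciphertext)
    try:
        decrypt(secrets.token_bytes(32), wrapped_session)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return plaintext, wrong_key_rejected

# Section 3.2: Needham-Schroeder with a KDC (C), initiator A and responder B.
class KDC:
    def __init__(self):
        self.master_keys = {}               # ID -> master key shared with that user (K_AC, K_BC)
    def enroll(self, ident):
        self.master_keys[ident] = secrets.token_bytes(32)
        return self.master_keys[ident]
    def handle_request(self, id_a, id_b, n_a):
        # Step ②: E_{K_AC}(ID_B, N_A, K_AB, E_{K_BC}(ID_A, K_AB))
        k_ab = secrets.token_bytes(32)
        ticket = encrypt(self.master_keys[id_b], _pack(id_a, k_ab))
        return encrypt(self.master_keys[id_a], _pack(id_b, n_a, k_ab, ticket))

class Responder:
    def __init__(self, k_bc):
        self.k_bc = k_bc
        self.seen_tickets = set()           # assumed mitigation, not in the original protocol
    def accept_ticket(self, ticket):
        # Step ③: only B can open E_{K_BC}(ID_A, K_AB); step ④: challenge A with N_B
        if ticket in self.seen_tickets:
            raise ValueError("replayed ticket rejected")
        self.seen_tickets.add(ticket)
        id_a, k_ab = _unpack(decrypt(self.k_bc, ticket))
        n_b = secrets.randbelow(1 << 62) + 1
        return id_a, k_ab, n_b, encrypt(k_ab, n_b.to_bytes(8, "big"))

def needham_schroeder():
    kdc = KDC()
    k_ac, k_bc = kdc.enroll(b"A"), kdc.enroll(b"B")
    bob = Responder(k_bc)
    n_a = secrets.token_bytes(8)                                   # step ① nonce
    id_b, n_a_echo, k_ab, ticket = _unpack(decrypt(k_ac, kdc.handle_request(b"A", b"B", n_a)))
    if id_b != b"B" or n_a_echo != n_a:                            # A checks the reply matches its request
        raise ValueError("KDC reply does not match request")
    id_a, k_ab_at_b, n_b, challenge = bob.accept_ticket(ticket)
    n_b_seen = int.from_bytes(decrypt(k_ab, challenge), "big")
    response = encrypt(k_ab, (n_b_seen - 1).to_bytes(8, "big"))  # step ⑤: E_{K_AB}(N_B - 1)
    b_accepts = int.from_bytes(decrypt(k_ab_at_b, response), "big") == n_b - 1
    try:
        bob.accept_ticket(ticket)                                  # the same ticket presented again
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return (id_a == b"A" and k_ab == k_ab_at_b and b_accepts), replay_blocked
```

Two things the code makes visible that the prose only states: the KDC's message to A is the key hierarchy in miniature (a session key $K_{AB}$ wrapped under two master keys, $K_{AC}$ and $K_{BC}$), and nothing inside the ticket tells B when it was minted, which is why freshness has to be supplied from outside the original protocol, here by a ticket cache, in Kerberos by timestamps.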

4. Key agreement technology

The purpose of key agreement is for the communicating parties to exchange information over the network and so produce a session key shared by both. A typical key agreement is the Diffie-Hellman key exchange protocol, a two-party scheme without identity authentication. The station-to-station protocol (STS), an improvement based on it, is a more secure key agreement protocol.

4.1 Diffie-Hellman key exchange protocol

The Diffie-Hellman key exchange protocol was proposed by W. Diffie and M. Hellman in 1976 and lets two parties negotiate a key securely over a network. It runs as follows:

Let $p$ be a large prime and $g \in Z_p$ a primitive element modulo $p$; $p$ and $g$ are public and shared by all users.

  • (1) $A$ randomly selects a large number $a$ ($0 \le a \le p-2$), computes $g^a \bmod p$ and sends it to $B$
  • (2) $B$ randomly selects a large number $b$ ($0 \le b \le p-2$), computes $g^b \bmod p$ and sends it to $A$
  • (3) $A$ computes $k \equiv (g^b)^a \bmod p$
  • (4) $B$ computes $k \equiv (g^a)^b \bmod p$

Both parties $A$ and $B$ thus compute the same session key $k$: $k \equiv (g^b)^a \bmod p \equiv (g^a)^b \bmod p \equiv g^{ab} \bmod p$

The two-party Diffie-Hellman key exchange protocol is easily extended to three or more people's key agreement. However, as the number of people increases, the number of communication rounds increases rapidly, so this method is not suitable for group key agreement in real communication.

The Diffie-Hellman key exchange protocol includes no identity authentication of the communicating parties. An attacker sitting between $A$ and $B$ can intercept and replace the key agreement messages exchanged between them and thereby read their communication. This attack is called a man-in-the-middle attack.

4.2 Station-to-station protocol

To defeat the man-in-the-middle attack, W. Diffie, P. C. van Oorschot et al. proposed an improved version of the DH key agreement protocol in 1992, the station-to-station (STS) protocol. It introduces a digital signature algorithm based on a public key infrastructure and authenticates both parties during the exchange.

Assume a trusted center CA whose signature algorithm is denoted $Sign$ and whose corresponding verification algorithm is denoted $Ver$. Each user in the domain registers with the CA in advance and obtains a public key certificate. $C(A)$ and $C(B)$ denote the certificates of users $A$ and $B$ respectively, and $Sign_A$ and $Sign_B$ denote signing with A's private key and B's private key respectively.

The simplified end-to-end protocol description is as follows:

Let $p$ be a large prime and $g \in Z_p$ a primitive element modulo $p$; $p$ and $g$ are public.

(1) $A$ randomly selects $a$, $0 \le a \le p-2$, computes $g_a \equiv g^a \bmod p$ and sends it to user $B$.

(2) $B$ randomly selects $b$, $0 \le b \le p-2$, computes $g_b \equiv g^b \bmod p$ and $S_B = Sign_B(g_a, g_b)$, and sends $(C(B), g_b, S_B)$ to user $A$.

(3) User $A$ first verifies the validity of $C(B)$, then verifies $B$'s signature $S_B$. Once $S_B$ is confirmed valid, $A$ computes $S_A = Sign_A(g_a, g_b)$, sends $(C(A), S_A)$ to user $B$, and computes $K \equiv g_b^a \bmod p$ as the session key.

(4) $B$ likewise first verifies the validity of $C(A)$, then verifies $A$'s signature $S_A$. Once $S_A$ is confirmed valid, $B$ computes $K \equiv g_a^b \bmod p$ as the session key.
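The plain exchange of 4.1 and the signed exchange of 4.2, written out in Python as an added example that is not code from the original post. The group parameters are constructed: $p = 2^{127}-1$ is a Mersenne prime and $g = 3$ is used as the generator for illustration only (its order modulo $p$ is not verified here; a deployment uses a standardized group such as an RFC 3526 MODP group or an elliptic curve). The certificates are signed with textbook RSA whose primes are known Mersenne primes, so no prime generation is needed; such keys are trivially factorable and merely stand in for the CA's, A's and B's real certificate keys. The `substitute_g_a` flag is a test hook, not part of the protocol: it models $g_a$ arriving at B changed in transit, so that the signature checks of steps (3) and (4) can be seen rejecting the exchange instead of silently agreeing on different keys.

```python
import hashlib
import secrets

# Public group parameters (constructed for this example): p = 2^127 - 1 is a Mersenne prime;
# g = 3 is used as the generator for illustration only; its order modulo p is not verified here.
P = 2**127 - 1
G = 3
E = 65537   # RSA public exponent

# Toy RSA signatures over SHA-256 with keys built from known Mersenne primes. Such keys are
# trivially factorable; they only stand in for the certificate keys of the CA, A and B.
def rsa_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))          # (public, private)

def _digest(parts, n):
    h = hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(h, "big") % n           # reduced mod n: toy, not a real padding scheme

def sign(priv, *parts):
    n, d = priv
    return pow(_digest(parts, n), d, n)

def verify(pub, sig, *parts):
    n, e = pub
    return pow(sig, e, n) == _digest(parts, n)

class CA:
    """Trusted center: its signature over (ID, public key) is the certificate C(X)."""
    def __init__(self):
        self.pub, self._priv = rsa_keypair(2**521 - 1, 2**127 - 1)
    def issue(self, ident, user_pub):
        return (ident, user_pub, sign(self._priv, ident, *user_pub))

def check_cert(ca_pub, cert):
    ident, user_pub, sig = cert
    return verify(ca_pub, sig, ident, *user_pub)

# Section 4.1: plain Diffie-Hellman; both sides reach g^{ab} mod p.
def diffie_hellman():
    a, b = secrets.randbelow(P - 1), secrets.randbelow(P - 1)      # 0 <= a, b <= p-2
    y_a, y_b = pow(G, a, P), pow(G, b, P)                          # exchanged in the clear
    return pow(y_b, a, P) == pow(y_a, b, P) == pow(G, a * b, P)

# Section 4.2: station-to-station. `substitute_g_a` models g_a changed in transit (test hook).
def sts_exchange(ca, cert_a, priv_a, cert_b, priv_b, substitute_g_a=False):
    a = secrets.randbelow(P - 1)
    g_a = pow(G, a, P)                                             # (1) A -> B: g_a
    g_a_at_b = pow(G, secrets.randbelow(P - 1), P) if substitute_g_a else g_a
    b = secrets.randbelow(P - 1)
    g_b = pow(G, b, P)
    s_b = sign(priv_b, g_a_at_b, g_b)                              # (2) B -> A: C(B), g_b, S_B
    if not (check_cert(ca.pub, cert_b) and verify(cert_b[1], s_b, g_a, g_b)):
        return "A rejected: bad certificate or signature"          # (3) A's checks
    s_a = sign(priv_a, g_a, g_b)                                   #     A -> B: C(A), S_A
    k_a = pow(g_b, a, P)
    if not (check_cert(ca.pub, cert_a) and verify(cert_a[1], s_a, g_a_at_b, g_b)):
        return "B rejected: bad certificate or signature"          # (4) B's checks
    k_b = pow(g_a_at_b, b, P)
    return "agreed" if k_a == k_b else "mismatch"

def sts_demo():
    ca = CA()
    pub_a, priv_a = rsa_keypair(2**127 - 1, 2**107 - 1)
    pub_b, priv_b = rsa_keypair(2**89 - 1, 2**61 - 1)
    cert_a, cert_b = ca.issue("A", pub_a), ca.issue("B", pub_b)
    honest = sts_exchange(ca, cert_a, priv_a, cert_b, priv_b)
    tampered = sts_exchange(ca, cert_a, priv_a, cert_b, priv_b, substitute_g_a=True)
    return honest, tampered
```

The check that does the work is in step (3): A verifies $S_B$ over the $g_a$ it actually sent, not over whatever B received, so any substitution of $g_a$ on the wire makes B's signature fail at A and the run aborts before a key is used. In plain Diffie-Hellman there is no such binding, which is the gap described in 4.1.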

5. Key Escrow

Key escrow, also known as escrowed encryption, means providing secure communication for the public and for users while at the same time allowing authorized persons (government secrecy departments, enterprise technical staff, special users and so on) to obtain certain communication content and decrypt the related ciphertext. Key escrow is also called "key recovery", or is understood as a "trusted third party", "data recovery" or "special access" arrangement. It offers individuals neither absolute privacy nor absolutely untraceable anonymity.

It is realized by linking the encrypted data to a data recovery key. The data recovery key need not be the key that decrypts the data directly, but the decryption key can be obtained from it.

5.1 Basic Composition of Key Escrow Cryptosystem

The key escrow encryption system is mainly composed of three parts:

  • User Security Component (USC): hardware devices or software programs that encrypt and decrypt data in users' secure communications and support the key escrow and data recovery functions. By transmitting a Data Recovery Field (DRF) alongside the secret information, the USC lets authorized agencies intervene in communications with emergency decryption measures.

  • Key Escrow Component (KEC): made up of the key escrow agents, the data recovery keys, the data recovery service and the protection of escrowed keys. It mainly carries out key escrow agent operations, encrypted key storage and use, and related services.

  • Data Recovery Component (DRC): dedicated algorithms, protocols and equipment able to recover the plaintext from the ciphertext, the DRF and the escrowed key K provided by the KEC. DRC capabilities include real-time decryption and audit processing. The DRC should only be used for legally prescribed data recovery.

The user security component USC encrypts the plaintext with the key $K_s$ and transmits the data recovery field DRF together with the ciphertext; the data recovery component DRC uses the information contained in the DRF and the information provided by the KEC to recover the plaintext.


5.2 Escrowed Encryption Standard

To control the use of encryption technology effectively, the US government put forward the Clipper initiative and key escrow encryption technology in April 1993. Its essence was to propose that the federal government and industry adopt a new federal encryption standard with key escrow built in, the Escrowed Encryption Standard (EES), also known as the Clipper proposal. The US government officially announced and adopted the EES standard in February 1994.

The core of the EES standard is a tamper-resistant chip called Clipper, a cryptographic component implemented in software and hardware and developed by the US National Security Agency (NSA). It has two main features:

  • A cryptographic algorithm. Internally it is implemented with the Skipjack block cipher: the key length is 80 bits, plaintext and ciphertext blocks are both 64 bits, and there are four modes of operation, ECB, CBC, OFB and CFB. The chip's unit key (UK) is provided jointly by two escrow agencies and is used to encrypt and decrypt the messages exchanged between users.

  • Authority that provides "backdoor recovery" for law enforcement. Through the Law Enforcement Access Field (LEAF), and within the scope of that field, the relevant departments can decrypt user communications under legal authorization.


Origin blog.csdn.net/apr15/article/details/127959431